Deployment Architecture

How can I set up a couple of VMs on Azure?

danielbb
Motivator

We are building a small Splunk installation in Azure and I'm not sure what the architecture should look like. The client came up with the idea based on the following link - Deploying Splunk on Microsoft Azure.

They created an indexer, a search head, and a license server/cluster master. We do need to ingest syslog data from Meraki devices, so I wonder whether we need a heavy forwarder.

Any thoughts?

0 Karma

gcusello
SplunkTrust

Hi @danielbb ,

as @richgalloway also said, there are more parameters that you have to consider:

data volume, HA or no HA, number of users and scheduled searches, etc.

My first hint is to engage a Splunk Certified Architect or a Splunk Professional Services to design your architecture.

You could find some ideas at https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf

E.g.: having only one Indexer, there's no requirements for a Cluster Manager and you can put the License manager on the same Indexer; the Cluster manager is required if you have HA requirements and you have at least two Indexers.

About the HF, it depends on many factors:

Where are your Meraki servers located, on-premises or in the cloud?

If on-premises, it's a best practice to have a concentrator between the devices and the Indexers; anyway, you could also put the syslog receiver on the Indexers (it isn't a best practice).

Then, how does Meraki send logs? If by syslog, you should configure an rsyslog server or SC4S on a dedicated server.

As I said, I suggest engaging a Splunk Certified Architect.

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust

We need more information. How much data will be ingested each day? How long will that data be retained? How much searching will the system perform?

If you have a single indexer then there is no need for a Cluster Manager (f.k.a. Cluster Master) and the search head can serve as the License Manager on such a small system. For larger ingest amounts and better search performance, multiple indexers may be needed, which call for a Cluster Manager.

Syslog data should not be sent directly to a Splunk process. Instead, send it to a dedicated syslog server (rsyslog or syslog-ng) and write it to disk. Have a Splunk Universal Forwarder monitor the disk and forward the data to the indexer(s).

---
If this reply helps you, Karma would be appreciated.
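The pattern both replies describe (a dedicated rsyslog receiver writing Meraki syslog to disk, with a Universal Forwarder tailing those files and shipping them to the single indexer) as an added, worked example. This is not code from the thread or from Splunk; it assumes rsyslog 8.x RainerScript, that the Meraki devices send UDP/514 to this VM, that the files live under /var/log/meraki, that the forwarder runs as a "splunk" user, and that the index name "network", the sourcetype name "meraki" and the indexer address indexer.example.internal:9997 are placeholders you replace with your own:

```shell
#!/bin/sh
# Added example, not from the thread: stand up the syslog concentrator for a
# single-indexer Splunk deployment. Meraki -> rsyslog (disk) -> UF -> indexer.
# Assumed values (change for your environment): log root, index, sourcetype, indexer.
MERAKI_LOG_ROOT="${MERAKI_LOG_ROOT:-/var/log/meraki}"
INDEXER="${INDEXER:-indexer.example.internal:9997}"

# Write the rsyslog rule into $1 (normally /etc/rsyslog.d).
# One file per sending device per day, keyed on the sender's IP.
write_rsyslog_conf() {
    dest_dir="$1"
    mkdir -p "$dest_dir"
    cat > "$dest_dir/10-meraki.conf" <<EOF
# Meraki syslog -> disk (rsyslog 8.x RainerScript). Meraki devices send UDP/514.
module(load="imudp")
input(type="imudp" port="514" ruleset="meraki")

# Directory per sender IP so the forwarder can derive host from the path.
template(name="MerakiFile" type="string"
         string="$MERAKI_LOG_ROOT/%FROMHOST-IP%/%\$YEAR%-%\$MONTH%-%\$DAY%.log")
# Keep the original message; prefix the receive time and sender for indexer-side parsing.
template(name="MerakiLine" type="string"
         string="%TIMESTAMP:::date-rfc3339% %FROMHOST-IP% %msg%\n")

ruleset(name="meraki") {
    # Files are created readable by the forwarder user (assumed "splunk") only.
    action(type="omfile" dynaFile="MerakiFile" template="MerakiLine"
           dirCreateMode="0750" fileCreateMode="0640"
           fileOwner="splunk" fileGroup="splunk")
    stop
}
EOF
    echo "$dest_dir/10-meraki.conf"
}

# Write a small Universal Forwarder app into $1
# (normally /opt/splunkforwarder/etc/apps/meraki_syslog).
write_uf_app() {
    app_dir="$1"
    mkdir -p "$app_dir/local"
    # host_segment is 1-based from the leading slash: /var/log/meraki/<ip>/x.log -> 4.
    # Derived from the log root so the two files cannot drift apart.
    host_segment=$(( $(printf '%s' "$MERAKI_LOG_ROOT" | tr -cd '/' | wc -c) + 1 ))
    cat > "$app_dir/local/inputs.conf" <<EOF
# Tail everything rsyslog writes; host is taken from the sender-IP directory.
[monitor://$MERAKI_LOG_ROOT/*/*.log]
disabled = false
index = network
sourcetype = meraki
host_segment = $host_segment
EOF
    cat > "$app_dir/local/outputs.conf" <<EOF
# Single indexer, so a one-member output group; useACK avoids loss on indexer restart.
[tcpout]
defaultGroup = primary_indexer

[tcpout:primary_indexer]
server = $INDEXER
useACK = true
EOF
    echo "$app_dir"
}

# Usage: sh meraki_syslog_setup.sh install
# (writes to the real rsyslog and forwarder paths; run as root)
if [ "${1:-}" = "install" ]; then
    write_rsyslog_conf /etc/rsyslog.d
    write_uf_app /opt/splunkforwarder/etc/apps/meraki_syslog
    echo "Next: rsyslogd -N1 && systemctl restart rsyslog && /opt/splunkforwarder/bin/splunk restart"
fi
```

Validate the rsyslog rule with `rsyslogd -N1` before restarting, and make sure the "network" index exists on the indexer or the events will be dropped. Because the Meraki devices are on-premises and the receiver is in Azure, do not expose UDP/514 to the internet: restrict the NSG to the public IPs of the Meraki uplinks, or better, bring the syslog in over a site-to-site VPN. With one indexer there is no Cluster Manager, so `outputs.conf` points at that indexer directly, as in the reply above; if indexers are added later, only the `server` list changes.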